ab4cb361575eabbe500b1075a732280a6a43e55ae023d0152cc1c595c40d37e6

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fd27bedb3859a30bce806852daa55f40.exe
Size

3.4MB
MD5

fd27bedb3859a30bce806852daa55f40
SHA1

172d7a1d9d5ab7f2c3b0b23099818dc82f6c1300
SHA256

ab4cb361575eabbe500b1075a732280a6a43e55ae023d0152cc1c595c40d37e6
SHA512

f795a3af0f5d746eda6b5a61d1f9fad3b1fdde2b25388f8c4bae8d46bf305863b77bf74152863f5dd41c9b5d8c7cd2e9a13d78877a024da183af35af19bc87fc
SSDEEP

98304:5tTibykGPIVw12C2MkpuBaptbp02wAagbbw:5t+bykGPI612C2ugtt0bfgbU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	NEAS.fd27bedb3859a30bce806852daa55f40.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX4A7B.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX4BB6.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX54F1.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX55DF.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX4B56.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX55AF.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5530.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCX45D6.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX4B96.tmp	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	NEAS.fd27bedb3859a30bce806852daa55f40.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.fd27bedb3859a30bce806852daa55f40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fd27bedb3859a30bce806852daa55f40.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX4664.tmp

Filesize
5.6MB

MD5
45d7ad0d78e406d6fa3347c644ecb98a

SHA1
49a537806e0b5d8fee1db4d790086d50d93d54d5

SHA256
b9eb0ce7e7c66cd1283cf4d7750d0edeb97ab739ec00a65e3719e034b22d588e

SHA512
b7d49052b04ae97ae0c12aaed35b7bba370f6fc4f0bd2ad77081b913b000b969e300330bbdf5d1b6482485bfd3af54524eac288971f5322dd174b7bf0bb99647

Download Submit
C:\Windows\SysWOW64\DC++ Share\jar.exe

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
3.4MB

MD5
24bbcfdb5fad33c9a97d1218c29a7ca3

SHA1
736106f8f250726a1a41213d986a04647ccb1c09

SHA256
670e5a5ad7fdfdf229780c6191f69fea5588ef853a504126cc93a4ef6c26f767

SHA512
8c5d2386c8d52478ec737b32968b0a11c9eaf0cd2310ee752040f641649ab644254aab9d90124b6c59eb4ee1ad53dd80fff62b46674545221b5de5abfdc218c0

Download Submit
memory/2376-191-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-193-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-188-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-189-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-190-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-192-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-187-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-194-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-195-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-196-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-197-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-198-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-199-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads